Thursday, August 23, 2012

The Poor State of Cyber Intelligence

I recently had the privilege of speaking at a government cyber conference which was sponsored by one of the three-letter agencies and which included analysts from all 16 agencies that comprise the U.S. Intelligence Community (IC). Besides myself there were a number of other well-known and well-respected speakers. My session focused on Russia and their technology priorities, but the first question that the moderator asked me had to do with the the fact that I was apparently wrong regarding who created Stuxnet. His point in raising that issue was not to embarrass or shame me but to have me talk about how intelligence analysts must not be afraid to be wrong; about how important the role of negative analysis is along with the dangers associated with mirror imaging (i.e., a cognitive trap in which an intelligence analyst imagines that the target thinks like he does). Another cognitive trap is target fixation, where an analyst becomes fixated on one hypothesis and only sees the evidence that supports it. I see "cyber intelligence" analysts falling into that trap almost all the time.

Regardless of the problems faced by trained analysts in the IC, the state of cyber intelligence as its practiced by information security practitioners and others who are not trained in the science of rigorous analysis is often exponentially worse. The word "intelligence" is used to describe everything from a clipping service to threat data. The only thing worse are the marketing pitches promoting what their so-called "cyber intelligence" product will do for the customer - which is everything short of bringing him to orgasm. Don't call the result of your work analysis if you haven't performed any negative analysis to test your hypothesis. Call it conjecture, or opinion, because that's what it is.

I'm writing a chapter on this topic for my next book "Assumption of Breach" and my paper on the same subject will soon be published by the U.S. Air Force so I'm not going to go into further detail here except to say that if cyber intelligence analysts want to do justice to their craft, I encourage them to read Dick Heuer's "Psychology of Intelligence Analysis" (.pdf) and find ways to apply it to their work in the cyber field. Another excellent resource is "Understanding Rigor in Information Analysis". Right now, between mirror-imaging and target fixation, many cyber intelligence analysts are missing huge gaps in the threat landscape and are doing a great disservice to both their customers and their craft.